An increasing number of social engineering attacks have been observed lately that target unsuspecting users in order to gain access to their email accounts. The pattern of these spear phishing attacks is very convincing.
The attacker just needs to know the target’s email address and his or her mobile number. The attackers make use of the password recovery feature offered by many email providers, which helps users who have forgotten their passwords gain access to their accounts by, among other options, having a verification code sent to their mobile phone.
The majority of cases affect Gmail, Hotmail, and Yahoo Mail users.
Using Gmail as an example, the following steps describe how attackers pull off this attack against unsuspecting users:
- The user has registered his or her mobile phone number with Gmail for password recovery.
- If an attacker knows the user’s Gmail email address and phone number, he simply visits the Gmail login page and enters the user’s email address and then clicks on the “Need help?” link.
- He is offered several options, including “Enter the last password you remember” and “Confirm password reset on my [MAKE AND MODEL] phone,” but skips these until he is given the option “Get a verification code on my phone: [MOBILE PHONE NUMBER].”
- The attacker accepts this option and an SMS message with a six-digit verification code is sent to the user. The user receives a message saying “Your Google Verification code is [SIX-DIGIT CODE].”
- The attacker then sends the user an SMS message saying something like “Google has detected unusual activity on your account. Please respond with the code sent to your mobile device to stop unauthorized activity.” The user, believing that the message is legitimate, replies with the verification code. The attacker then uses the code to get a temporary password and gains access to the user’s email account.
- If the verification code doesn’t work, the victim receives a message along the lines of: “We still detect an unauthorized sign-in to your account. Google just re-sent a verification code via text message: Please respond with it to help secure your Google account.”
- Once inside the account, the attacker can, among other things, add an alternate email address and set the account to forward copies of all incoming messages to it. The attacker then hands the temporary password back to the victim, who has no idea that every email is now also being sent to the attacker.
- The victim receives an SMS saying something like: “Thank you for verifying your Google account. Your temporary password is [TEMPORARY PASSWORD]”
This final message makes the phishing attack all the more believable. The victim concludes that the correspondence was legitimate and that the account is now secure, while the attacker quietly keeps reading the forwarded mail.
This method is harder to detect than conventional email phishing: the attacker’s messages are plain SMS and never touch the email system, so any detection would have to be done by the software on the user’s phone or by the mobile carrier.
Cyber criminals carrying out these attacks do not seem to be focused on financial gain such as stealing credit card numbers. They appear to be looking to gather information about their targets and are not targeting users en masse, instead going for specific individuals.
How to prevent these kinds of spear phishing attacks?
Users should be suspicious of SMS messages asking about verification codes, especially if they did not request one. A verification code that arrives unrequested is itself a warning sign, since it means someone has started a password reset on the account, and any message that then asks for the code is almost certainly the attacker. If in doubt about an unexpected request, check with the email provider directly (through its website or app, not by replying to the SMS) to confirm whether the message is legitimate. Legitimate messages from password recovery services will simply tell you the verification code and will never ask you to respond in any way; if an account has been compromised in this manner, the mail forwarding settings are the first thing to check.
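The detection remark above (that it would have to happen on the phone or at the carrier) and the rule that a genuine recovery SMS never asks for a reply can be turned into a simple heuristic. The following is an added example written for this page, not code from the original article or from any email provider or carrier: it replays a constructed SMS timeline that follows the sequence described above and flags messages that ask the recipient to send a code back, raising the severity when a verification-code SMS arrived shortly before and noting when the request comes from a different sender than the one that delivered the code. Sender names, timestamps, the 30-minute window and the regular expressions are all assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Recovery SMS that carries a code, e.g. "Your Google Verification code is 482913".
# Assumed wording; real providers vary.
CODE_SMS_RE = re.compile(r"\b(?:verification|security) code\b.*?\b(\d{4,8})\b", re.I)
# Request to send a code back: "respond with the code", "reply with it", "text it" ...
REPLY_REQUEST_RE = re.compile(r"\b(?:reply|respond|send|text)\b[^.!?]{0,40}\b(?:code|it)\b", re.I)
MENTIONS_CODE_RE = re.compile(r"\bcode\b", re.I)


@dataclass
class Sms:
    ts: datetime
    sender: str
    body: str


@dataclass
class Alert:
    msg: Sms
    severity: str
    reason: str


def find_code(body: str) -> Optional[str]:
    """Return the verification code carried by a recovery SMS, or None."""
    m = CODE_SMS_RE.search(body)
    return m.group(1) if m else None


def asks_for_reply(body: str) -> bool:
    """True if the text asks the recipient to send a code (or 'it') back."""
    return REPLY_REQUEST_RE.search(body) is not None


def detect(messages: List[Sms], window: timedelta = timedelta(minutes=30)) -> List[Alert]:
    """Flag messages that ask the recipient to reply with a code.

    A genuine recovery SMS only states the code; anything asking for it back is
    suspect. If a code SMS arrived within `window` before the request the alert
    is high severity, and a sender differing from the one that delivered the
    code is noted. A request with no recent code is medium severity when it at
    least mentions a code (a bare "reply with it" alone is left unflagged).
    """
    alerts: List[Alert] = []
    code_msgs: List[Sms] = []  # legitimate-looking code deliveries seen so far
    for msg in sorted(messages, key=lambda m: m.ts):
        if find_code(msg.body) and not asks_for_reply(msg.body):
            code_msgs.append(msg)
            continue
        if not asks_for_reply(msg.body):
            continue
        recent = [m for m in code_msgs if timedelta(0) <= msg.ts - m.ts <= window]
        if recent:
            last = recent[-1]
            minutes = (msg.ts - last.ts).seconds // 60
            reason = (f"asks for a reply with a code; code SMS from {last.sender} "
                      f"arrived {minutes} min earlier")
            if msg.sender != last.sender:
                reason += f"; request comes from a different sender ({msg.sender})"
            alerts.append(Alert(msg, "high", reason))
        elif MENTIONS_CODE_RE.search(msg.body):
            alerts.append(Alert(msg, "medium", "asks for a reply with a code; no recent code SMS seen"))
    return alerts


# Constructed sample timeline (not captured data), following the article's sequence.
T0 = datetime(2014, 6, 1, 10, 0)
SAMPLE = [
    Sms(T0, "Google", "Your Google Verification code is 482913"),
    Sms(T0 + timedelta(minutes=3), "+15550100",
        "Google has detected unusual activity on your account. Please respond with "
        "the code sent to your mobile device to stop unauthorized activity."),
    Sms(T0 + timedelta(minutes=9), "+15550100",
        "We still detect an unauthorized sign-in to your account. Google just re-sent a "
        "verification code via text message: Please respond with it to help secure your Google account"),
    Sms(T0 + timedelta(hours=2), "Courier", "Your parcel is out for delivery. Reply STOP to opt out."),
    Sms(T0 + timedelta(hours=3), "Google", "Your Google Verification code is 771204"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE):
        print(f"[{a.severity}] {a.msg.ts:%H:%M} {a.msg.sender}: {a.reason}")
```

On the sample timeline only the two attacker messages are flagged, both as high severity because they follow the genuine code SMS within minutes and come from a different sender; the benign "Reply STOP" delivery notice and the later unrelated code are not. The heuristic is deliberately narrow: a message that mentions neither a code nor a recently delivered one is ignored, so it will miss an attacker who avoids those words, and it cannot see the final "temporary password" SMS at all, which is why the content-independent rule (never send a code back to anyone) remains the real defence.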